Malware Analysis Report

2024-10-23 21:33

Sample ID 220521-cd5ayadga3
Target e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76
SHA256 e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76
Tags
masslogger collection coreentity ransomware rezer0 spyware stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76

Threat Level: Known bad

The file e398d25e5ee3fa2ef17eda10103e1c39c7ddc36b9ccd06d3de5c1cc25141fe76 was found to be: Known bad.

Malicious Activity Summary

masslogger collection coreentity ransomware rezer0 spyware stealer

MassLogger

MassLogger log file

MassLogger Main Payload

CoreEntity .NET Packer

ReZer0 packer

Reads user/profile data of web browsers

Checks computer location settings

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

outlook_office_path

Suspicious behavior: AddClipboardFormatListener

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-05-21 01:58

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-05-21 01:58

Reported

2022-05-21 03:03

Platform

win7-20220414-en

Max time kernel

79s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.exe"

Signatures

CoreEntity .NET Packer

coreentity
Description Indicator Process Target
N/A N/A N/A N/A

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

ReZer0 packer

rezer0
Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
(Every event below is by process C:\Users\Admin\AppData\Local\Temp\order.exe with target N/A; the 15 recorded events are grouped per registry key, with the actions taken on that key listed in the Description column.)
Key created, queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried, opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried, opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried, opened \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1596 set thread context of 932 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A (2 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A (2 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1596 wrote to memory of 1192 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Windows\SysWOW64\schtasks.exe
PID 1596 wrote to memory of 932 (9 events) N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAEInhcV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF2E.tmp"

C:\Users\Admin\AppData\Local\Temp\order.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 3.220.57.224:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.109:587 smtp.gmail.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpF2E.tmp

MD5 dfea9e326dd2cd0fafb2e3f90147b655
SHA1 d7e9816e224b15d0b2b82363529495cecfaa88bd
SHA256 774f6d48263a3f1bd694784c318d6c7d07a56e1db009c7373268b624a0310de6
SHA512 8f701f849f85adcd90fd5bf96abdc945d60dc9d3911dc3d5a79b8ad8b2626160fcbe43b689628d62dddfbe024bca3ae8908156bdd76248ea24e6c3f54df83f43

Analysis: behavioral2

Detonation Overview

Submitted

2022-05-21 01:58

Reported

2022-05-21 03:02

Platform

win10v2004-20220414-en

Max time kernel

99s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\order.exe"

Signatures

MassLogger

stealer spyware masslogger

MassLogger Main Payload

Description Indicator Process Target
N/A N/A N/A N/A

MassLogger log file

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\order.exe N/A (2 events)

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
(Every event below is by process C:\Users\Admin\AppData\Local\Temp\order.exe with target N/A; the 18 recorded events are grouped per registry key, with the actions taken on that key listed in the Description column. The sandbox logged the hive path as both SOFTWARE and Software; registry key names are case-insensitive, so the rows use Software throughout.)
Key created, queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created (2 events), queried, opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created (2 events), queried, opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created, queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook C:\Users\Admin\AppData\Local\Temp\order.exe N/A
Key created (2 events), queried, opened \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4844 set thread context of 1816 N/A C:\Users\Admin\AppData\Local\Temp\order.exe C:\Users\Admin\AppData\Local\Temp\order.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A (3 events)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A (2 events)

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_office_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

outlook_win_path

Description Indicator Process Target
Key queried \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Local\Temp\order.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\order.exe

"C:\Users\Admin\AppData\Local\Temp\order.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\IAEInhcV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB693.tmp"

C:\Users\Admin\AppData\Local\Temp\order.exe

"{path}"

Network

Country Destination Domain Proto
NL 104.97.14.80:80 N/A tcp
US 93.184.220.29:80 N/A tcp
US 20.189.173.6:443 N/A tcp
US 8.8.8.8:53 api.ipify.org udp
US 3.232.242.170:80 api.ipify.org tcp
US 8.8.8.8:53 smtp.gmail.com udp
US 142.250.102.109:587 smtp.gmail.com tcp
CH 173.222.108.226:80 N/A tcp
US 204.79.197.203:80 N/A tcp
NL 104.97.14.80:80 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpB693.tmp

MD5 4ef06db3c11240dba5ce528f78112a35
SHA1 f63d4be11920f0d9de1e66822ae0d05307e6c2ff
SHA256 3529287c690191ff0260956f8dbb7da62a4b842197d12c09577a6075001e44b7
SHA512 cf01c3f322bf3775a2fc9bb7292da31995e41994df7b055140c213002c3c2c9160693b4fc524ab619c9e2d961aa42d87041c25bca486e8987285182ca4fb94e5

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\order.exe.log

MD5 45242be47e5fefb0e8ca1070ed4d9b98
SHA1 42d6890eaae85ad3423231b13e6f96e1a93c8165
SHA256 d9bde55febcd84b87cbe03e0a754bf24337f479c55f9853f5e991e24e5da2b3f
SHA512 d0c7c161749ec6310733d16159be5af15614744749396d785f84652c74a1ca09b4418eac99f3edc6c5922d6e264ba9bdc219359878199fed6c05326041115ae8
